Cyber Posture

CVE-2025-27380

Severity: High
Published: 22 January 2026
Modified: 26 February 2026
KEV Added: none
Patch: not specified
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0001 (3.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27380 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Altium On-Prem Enterprise Server. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). By exploit likelihood (EPSS) it ranks at the 3.2nd percentile, well below the median, and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses CWE-79)

- Input validation rejects script-related content in web inputs that could produce XSS. (addresses CWE-79)

- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses CWE-79)
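The last two controls, input validation and output validation, are easiest to reason about side by side. The following added example (not code from this page or from Altium) shows the unsafe pattern behind an HTML-injection flaw, the context-aware output encoding that neutralises it, and a small output-validation check that flags any tag in a rendered fragment that the template did not itself emit. The release-note string, the function names and the fragment layout are constructed for illustration and do not describe AES internals.

```python
import html
import re

# Constructed sample of a user-controlled field that a page later renders.
# The <script> element stands in for any markup an author could embed.
SAMPLE_RELEASE_NOTE = "v7.0.3 release <script>probe()</script> notes"

# Only tag names the template itself writes; anything else came from data.
EXPECTED_TAGS = frozenset({"div"})

# Matches an opening or closing tag and captures its name.
_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def render_release_note_unsafe(note: str) -> str:
    """'Before' pattern: raw interpolation into an HTML text context.

    Any markup inside `note` is handed to the browser as live HTML, which is
    the CWE-79 condition the NVD description refers to.
    """
    return f"<div class='release-note'>{note}</div>"


def render_release_note_safe(note: str) -> str:
    """Same template with output encoding for the HTML text context.

    html.escape turns <, >, &, ' and " into entities, so the browser shows the
    characters instead of parsing them as tags or attributes.
    """
    return f"<div class='release-note'>{html.escape(note, quote=True)}</div>"


def count_foreign_tags(rendered: str, expected_tags=EXPECTED_TAGS) -> int:
    """Output-validation check over a rendered fragment.

    Returns the number of tags whose name is not in `expected_tags`. A
    non-zero result means data reached the page as markup, which is the
    signal a rendering test or response filter would act on.
    """
    return sum(
        1
        for match in _TAG_RE.finditer(rendered)
        if match.group(1).lower() not in expected_tags
    )


def looks_like_markup(value: str) -> bool:
    """Input-side heuristic: true when a field contains something tag-like.

    Useful as a reject-or-review signal at the boundary, but only as a
    complement to output encoding, never as a replacement for it.
    """
    return _TAG_RE.search(value) is not None


if __name__ == "__main__":
    unsafe = render_release_note_unsafe(SAMPLE_RELEASE_NOTE)
    safe = render_release_note_safe(SAMPLE_RELEASE_NOTE)
    print("input flagged as markup:", looks_like_markup(SAMPLE_RELEASE_NOTE))
    print("foreign tags, unsafe render:", count_foreign_tags(unsafe))
    print("foreign tags, safe render:  ", count_foreign_tags(safe))
    print(safe)
```

The design point is the ordering of the two controls: `looks_like_markup` is a boundary filter that can be bypassed by any encoding the regex does not anticipate, whereas `render_release_note_safe` is correct regardless of what the input contains because it encodes for the exact context (HTML text) the value lands in. `count_foreign_tags` is what a regression test or a response-side monitor would run to confirm that no template ever regresses to the unsafe pattern.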

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1185 Browser Session Hijacking (tactic: Collection)

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviours, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS via HTML injection directly enables browser session hijacking to steal tokens/session data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.

Deeper analysis (AI-generated)

CVE-2025-27380 is an HTML injection vulnerability (CWE-79) in the Project Release component of Altium Enterprise Server (AES) version 7.0.3, affecting all supported platforms. Published on 2026-01-22, it has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). The flaw enables an authenticated attacker to inject crafted HTML content, leading to the execution of arbitrary JavaScript in the victim's browser.

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R) from the victim. Successful exploitation changes the scope (S:C), resulting in high confidentiality impact (C:H) through cross-site scripting, allowing the attacker to steal sensitive data visible in the victim's browser session, such as session tokens or user information, while having limited integrity (I:L) and no availability (A:N) impact.

For mitigation details, refer to the Altium security advisory at https://www.altium.com/platform/security-compliance/security-advisories.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products

Altium On-Prem Enterprise Server, versions 7.0.3 through 7.0.6

CVEs Like This One

CVE-2026-1010: same product (Altium On-Prem Enterprise Server)
CVE-2025-27378: same product (Altium On-Prem Enterprise Server)
CVE-2026-1008: same vendor (Altium)
CVE-2026-1009: same vendor (Altium)
CVE-2025-25203: shared CWE-79
CVE-2025-24414: shared CWE-79
CVE-2025-24417: shared CWE-79
CVE-2025-69392: shared CWE-79
CVE-2025-25612: shared CWE-79
CVE-2026-21311: shared CWE-79
